Bug 966929 - wrong permissions for openvpn
Summary: wrong permissions for openvpn
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Version: 5.9
Hardware: All
OS: Linux
medium
medium
Target Milestone: rc
: ---
Assignee: Miroslav Grepl
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2013-05-24 09:38 UTC by Milos Malik
Modified: 2013-09-30 22:25 UTC (History)
2 users (show)

Fixed In Version: selinux-policy-2.4.6-344.el5
Doc Type: Bug Fix
Doc Text:
Clone Of: 966387
Environment:
Last Closed: 2013-09-30 22:25:42 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2013:1312 0 normal SHIPPED_LIVE selinux-policy bug fix update 2013-09-30 21:13:27 UTC

Description Milos Malik 2013-05-24 09:38:23 UTC 
Description of problem:
openvpn fails to start since it cannot read/write to /var/log/openvpn.

Version-Release number of selected component (if applicable):
selinux-policy-2.4.6-342.el5
selinux-policy-targeted-2.4.6-342.el5
selinux-policy-minimum-2.4.6-342.el5
selinux-policy-devel-2.4.6-342.el5
selinux-policy-strict-2.4.6-342.el5
selinux-policy-mls-2.4.6-342.el5
openvpn-2.3.1-1.el5

How reproducible:
always.

Steps to Reproduce:
1. update to openvpn 2.3.1
2. try to start it
3. profit.

Actual results:
openvpn is unable to read/write /var/log/openvpn and won't start.

Expected results:
openvpn is able to read/write /var/log/openvpn and starts.

Additional info:
* audit.log:
type=AVC msg=audit(1369295332.800:771735): avc:  denied  { read write } for  pid=27856 comm="openvpn" name="openvpn" dev=dm-3 ino=263685 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:openvpn_var_log_t:s0 tclass=dir

* file context:
/var/log/openvpn.* all files system_u:object_r:openvpn_var_log_t:s0 

* sesearch -A -s openvpn_t | grep openvpn_var_log_t:
allow openvpn_t openvpn_var_log_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ;
--> class "dir" is missing

anyways: openvpn_t is allowed to read/write to var_log_t.

Following AVCs appeared in permissive mode:
----
time->Thu May 23 15:49:27 2013
type=PATH msg=audit(1369316967.990:995): item=0 name="/var/log/openvpn" inode=41295 dev=08:03 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:openvpn_var_log_t:s0
type=CWD msg=audit(1369316967.990:995):  cwd="/etc/openvpn"
type=SYSCALL msg=audit(1369316967.990:995): arch=40000003 syscall=33 success=yes exit=0 a0=90fd8f8 a1=7 a2=90fddf4 a3=90fd8f8 items=1 ppid=32672 pid=32681 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="openvpn" exe="/usr/sbin/openvpn" subj=unconfined_u:system_r:openvpn_t:s0 key=(null)
type=AVC msg=audit(1369316967.990:995): avc:  denied  { read } for  pid=32681 comm="openvpn" name="openvpn" dev=sda3 ino=41295 scontext=unconfined_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:openvpn_var_log_t:s0 tclass=dir
----
time->Thu May 23 15:49:27 2013
type=PATH msg=audit(1369316967.983:994): item=1 name="/var/log/openvpn/log" inode=38094 dev=08:03 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:openvpn_var_log_t:s0
type=PATH msg=audit(1369316967.983:994): item=0 name="/var/log/openvpn/" inode=41295 dev=08:03 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:openvpn_var_log_t:s0
type=CWD msg=audit(1369316967.983:994):  cwd="/etc/openvpn"
type=SYSCALL msg=audit(1369316967.983:994): arch=40000003 syscall=5 success=yes exit=4 a0=90fddc4 a1=241 a2=180 a3=90fddc4 items=2 ppid=32672 pid=32681 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="openvpn" exe="/usr/sbin/openvpn" subj=unconfined_u:system_r:openvpn_t:s0 key=(null)
type=AVC msg=audit(1369316967.983:994): avc:  denied  { add_name } for  pid=32681 comm="openvpn" name="log" scontext=unconfined_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:openvpn_var_log_t:s0 tclass=dir
type=AVC msg=audit(1369316967.983:994): avc:  denied  { write } for  pid=32681 comm="openvpn" name="openvpn" dev=sda3 ino=41295 scontext=unconfined_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:openvpn_var_log_t:s0 tclass=dir
----

Configuration file contained among others following lines at the time:
log /var/log/openvpn/log
status /var/log/openvpn/status
Comment 1 Milos Malik 2013-05-24 09:53:20 UTC 
----
time->Fri May 24 11:44:47 2013
type=PATH msg=audit(1369388687.005:83): item=0 name="/var/log/openvpn/log" inode=528110 dev=fd:03 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:openvpn_var_log_t:s0
type=CWD msg=audit(1369388687.005:83):  cwd="/etc/openvpn"
type=SYSCALL msg=audit(1369388687.005:83): arch=40000003 syscall=5 success=no exit=-13 a0=9a3ef5c a1=241 a2=180 a3=9a3ef5c items=1 ppid=6626 pid=6635 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="openvpn" exe="/usr/sbin/openvpn" subj=root:system_r:openvpn_t:s0 key=(null)
type=AVC msg=audit(1369388687.005:83): avc:  denied  { write } for  pid=6635 comm="openvpn" name="openvpn" dev=vda3 ino=528110 scontext=root:system_r:openvpn_t:s0 tcontext=system_u:object_r:openvpn_var_log_t:s0 tclass=dir
----
time->Fri May 24 11:44:47 2013
type=PATH msg=audit(1369388687.084:84): item=0 name="/var/log/openvpn" inode=528110 dev=fd:03 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:openvpn_var_log_t:s0
type=CWD msg=audit(1369388687.084:84):  cwd="/etc/openvpn"
type=SYSCALL msg=audit(1369388687.084:84): arch=40000003 syscall=33 success=no exit=-13 a0=9a41d20 a1=7 a2=6 a3=9a41d20 items=1 ppid=6626 pid=6635 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="openvpn" exe="/usr/sbin/openvpn" subj=root:system_r:openvpn_t:s0 key=(null)
type=AVC msg=audit(1369388687.084:84): avc:  denied  { read write } for  pid=6635 comm="openvpn" name="openvpn" dev=vda3 ino=528110 scontext=root:system_r:openvpn_t:s0 tcontext=system_u:object_r:openvpn_var_log_t:s0 tclass=dir
----
time->Fri May 24 11:44:47 2013
type=PATH msg=audit(1369388687.089:85): item=0 name="/tmp" inode=327681 dev=fd:03 mode=041777 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tmp_t:s0
type=CWD msg=audit(1369388687.089:85):  cwd="/etc/openvpn"
type=SYSCALL msg=audit(1369388687.089:85): arch=40000003 syscall=33 success=no exit=-13 a0=80ba33f a1=7 a2=1 a3=bffb1c08 items=1 ppid=6626 pid=6635 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="openvpn" exe="/usr/sbin/openvpn" subj=root:system_r:openvpn_t:s0 key=(null)
type=AVC msg=audit(1369388687.089:85): avc:  denied  { read write } for  pid=6635 comm="openvpn" name="tmp" dev=vda3 ino=327681 scontext=root:system_r:openvpn_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
----
Comment 2 RHEL Program Management 2013-05-24 09:55:01 UTC 
This request was evaluated by Red Hat Product Management for inclusion
in a Red Hat Enterprise Linux release.  Product Management has
requested further review of this request by Red Hat Engineering, for
potential inclusion in a Red Hat Enterprise Linux release for currently
deployed products.  This request is not yet committed for inclusion in
a release.
Comment 5 Miroslav Grepl 2013-06-19 09:59:08 UTC 
Well this does not relate with log and probably should be opened as a new bug.
Comment 6 Milos Malik 2013-06-19 10:47:21 UTC 
The AVC was generated by the same TC and is a part of comment#1. Based on the recorded time I would say that the AVC is related to the scenario described in comment#0.
Comment 7 Miroslav Grepl 2013-06-19 11:31:21 UTC 
MIlos,
could you re-test it with a local policy 


type openvpn_tmp_t;
files_tmp_file(openvpn_tmp_t)

manage_files_pattern(openvpn_t, openvpn_tmp_t, openvpn_tmp_t)
files_tmp_filetrans(openvpn_t, openvpn_tmp_t, file)
Comment 8 Milos Malik 2013-06-19 11:45:47 UTC 
When the local policy module is loaded, the AVC does not appear any more and the daemon starts as expected.
Comment 11 errata-xmlrpc 2013-09-30 22:25:42 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1312.html
Note You need to log in before you can comment on or make changes to this bug.